Software

Is this an ASP.NET Core I see before me? Where to next for Microsoft's confusing web framework...

Too many choices?


Microsoft's ASP.NET Core, a web application framework (or more accurately, a family of frameworks), has made strides in performance and innovation, but its rapid development has resulted in a bewildering range of choices facing developers.

The original ASP.NET was launched simultaneously with .NET itself, way back in 2002, co-developed by Microsoft’s Scott Guthrie and Mark Anderson. It was a replacement for the COM-based Active Server Pages. Perhaps the best and worst thing about ASP.NET 1.0 was the form-based programming model that (somewhat) handled state management for you, making it an easier transition for desktop developers, but with downsides in areas like unit testing, responsive user interfaces, and compatibility with modern JavaScript libraries. Now called web forms, this approach is still popular, but limited to the Windows-only .NET Framework.

In early 2009 Microsoft launched ASP.NET MVC, a new framework based on the model-view-controller pattern. It had many advantages over web forms, including better performance, easy integration with JavaScript, amenable unit testing, and a cleaner programming model. Although it was widely adopted in the .NET community, some developers preferred to stick with the mature web forms approach. Further confusing matters, it is possible to combine MVC and web forms, by using MVC routing with web forms pages.

As ASP.NET MVC evolved, Microsoft developed the Razor syntax for View pages. Razor lets you combine C# code and HTML mark-up with minimal ceremony. Razor was initially used for ASP.NET MVC but soon took on a life of its own, with support for projects that use Razor pages but without the MVC pattern.

Then came .NET Core and ASP.NET Core, first fully released in 2016, Microsoft's official cross-platform and open source implementation of .NET. The company implemented ASP.NET Core MVC, but not web forms.

To Blazor with you

In 2018, a new approach called Blazor joined the fray. Blazor began life with the Xamarin (.NET for mobile and Mac) team at Microsoft, who were working on compiling the Mono .NET runtime to WebAssembly. The name is a combination of Browser and Razor. The initial idea was to have a framework for single page applications (SPAs) written in C# and running in the browser. Developers could write C# everywhere, as opposed to mixing C#, JavaScript and perhaps TypeScript. Visual Studio, the primary tool for developing with ASP.NET, is a much better editor for C# than it is for JavaScript.

Blazor was released as part of .NET Core 3.0 in September 2019, by which time it had somewhat changed shape. The initial release is for Blazor server-side applications, which does not use WebAssembly at all. Instead, Razor components run on the server and update the browser user interface via SignalR, Microsoft's framework for real-time communications.

Blazor WebAssembly is in preview. The code the developer writes for Blazor Server or Blazor WebAssembly is pretty much the same, but the outcome is very different. As the documentation notes, with Blazor Server, "Higher latency usually exists. Every user interaction involves a network hop." Blazor Server also has advantages, with smaller download size and no requirement for WebAssembly support, but the WebAssembly option looks more attractive for most scenarios.

There is also ASP.NET Web API, a framework for building REST APIs with models and controllers adapted from ASP.NET MVC, which is suitable for serving data to mobile as well as web applications.

Microsoft presents some of the choices for ASP.NET Core

Strong features of ASP.NET Core are that it is cross-platform, well suited to container deployment, and easily tested. Another key feature is dependency injection, where classes do not directly create instances of the service objects on which they depend, but have them passed to them, usually in the constructor. This achieves loose coupling, a good principle but one which can be confusing for beginners. Tooling for ASP.NET Core is flexible, a far cry from the days when developing outside Visual Studio was painful. Today you can also use Visual Studio for the Mac, the cross-platform Visual Studio Code, or any text editor.

Microsoft's web platform is not as confusing as its desktop platform, but does present developers with a confusing array of choices. One of them, ASP.NET MVC, is not quite deprecated but heading in that direction. Microsoft's documentation now says that: "For new development, we recommend Razor Pages over MVC with controllers and views."

In fact, the documentation authors cannot keep up with all the permutations. The page referenced above, a tutorial for data access with ASP.NET MVC, states that "There is a Razor Pages version of this tutorial. Each tutorial covers some material the other doesn't."

Architecture choices

The company offers a free book [PDF] on architecting ASP.NET Core applications which offers some clues about how Microsoft sees these choices. Web Forms, it says, "continues to be a robust and reliable platform." Blazor "provides a rich client experience," and is ideal where "your team is more comfortable with .NET development than JavaScript or TypeScript."

Traditional web applications (like ASP.NET MVC or Razor Pages) are aimed at simple applications or where teams are unfamiliar with JavaScript or TypeScript. SPAs are for rich experiences but "require greater architectural and security expertise," said the author Steve Smith. The book is a good read for newcomers trying to make sense of the platform overall, with explainers on all the essential pieces, including commonly used JavaScript frameworks like jQuery, Angular, React.js and Vue.js.

Architecting an ASP.NET application: a handy book for navigating the key concepts

Steve Gordon, a senior .NET developer at Brighton-based Madgex, which develops recruitment software, is also a .NET trainer and has been using ASP.NET since its first introduction. He now uses ASP.NET Core and says "it's a very efficient product to work with, we can build out microservices very quickly and very easily with it."

He says the platform is not so confusing if you have followed it through the various changes. What does he think of Blazor? "I can see that it might be an easier onboarding experience for someone experienced in building single-page apps with Node.js to make a transition, as well as to help .NET developers that are more familiar with C# to continue coding and working in the browser," he told The Register.

One of the issues with ASP.NET Core is that new releases bring breaking changes. Gordon says that part of the solution for enterprise developers is to note Microsoft's different support models for long term support (LTS) releases. For example, .NET 3.0 is not an LTS release, but .NET 3.1 is. The policy is laid out here. "I've seen developers fall into the trap that they adopt the latest current release not realising that the support will run out soon, where Microsoft has historically supported things much longer."

Microsoft does tend to tangle ASP.NET Core with another of its frameworks, the database object-relational mapping technology called Entity Framework EF Core. At its best, it is like magic: developers simply write C# classes to represent data, and EF generates the tables and lets developers work with C# objects rather than having to think about the database. There are a number of snags, though. If you take a naïve approach to using EF Core, performance often becomes a problem, and the simplicity tends to dissolve where relationships are complex. It may not work well if you use databases other than Microsoft's SQL Server, for which it is a kind of marketing tool.

The issue is nicely expressed here, by DevOps engineer Michael Hoagland: "If you want to let your applications actually use even a fraction of what you’re paying those huge licensing fees for, stop constraining SQL to an EF driven hellish wasteland of something little better than SELECT *."

Hoagland argues that EF can be used efficiently, but that this is rarely the case, in part because Microsoft's documentation leads developers down the wrong path.

Developers in search of better performance may wish to look at Dapper, a thin object mapper for .NET that requires developers to know their SQL, but in return delivers much faster results.

StackOverflow survey shows that while developers enjoy working with ASP.NET, it doesn't appeal strongly to those not yet using it

The most recent StackOverflow technology survey shows ASP.NET used by 26.3 per cent of respondents, scoring 64.9 per cent for "most loved" and 35.1 per cent for "most dreaded." These are not bad figures, but most telling is that the platform scores only 3.7 per cent under "most wanted,” supporting a suspicion that while Microsoft’s move towards open source and cross-platform with .NET Core and ASP.NET Core have helped developers like Gordon stay on board with the company’s web platform, it has not been so successful in attracting new developers from elsewhere. One of the issues, perhaps, is that Microsoft tends to present it as part of a package including Entity Framework, SQL Server and even Azure. That must be good for product adoption, but does conflict with its effort to appeal to a wider community. ®

Send us news
32 Comments

Microsoft unboxes Exchange Online certification in bid to push customers off-prem

More support engineers needed to keep the email flowing, it seems

Microsoft has added a certification to augment the tired eyes and haunted expressions of Exchange support engineers.

The "Microsoft 365 Certified: Exchange Online Support Engineer Specialty certification" was unveiled yesterday and requires you to pass the "MS-220: Troubleshooting Microsoft Exchange Online" exam.

Continue reading

Microsoft postpones shift to New Commerce Experience subscriptions

The whiff of rebellion among Cloud Solution Providers is getting stronger

Microsoft has indefinitely postponed the date on which its Cloud Solution Providers (CSPs) will be required to sell software and services licences on new terms.

Those new terms are delivered under the banner of the New Commerce Experience (NCE). NCE is intended to make perpetual licences a thing of the past and prioritizes fixed-term subscriptions to cloudy products. Paying month-to-month is more expensive than signing up for longer-term deals under NCE, which also packs substantial price rises for many Microsoft products.

Channel-centric analyst firm Canalys unsurprisingly rates NCE as better for Microsoft than for customers or partners.

Continue reading

Supply chain blamed amid claims of Azure capacity issues

Microsoft says it'll move to 'restrict trials and internal workloads to prioritize growth of existing customers'

Microsoft's Azure cloud is having difficulty providing enough capacity to meet demand, according to some customers, with certain regions said to refusing new subscriptions for services.

Azure comprises over 200 datacenters globally spread across 60 regions, but reports suggest that over two dozen of these are operating with limited capacity, and that the cloud and IT giant is being forced to prioritize resources in order to serve existing customers.

According to technology news site The Information, capacity issues are affecting Azure datacenters in Washington State in the US as well as across Europe and Asia, and it claims that server capacity is expected to remain limited until early next year, citing a Microsoft insider.

Continue reading

Start using Modern Auth now for Exchange Online

Before Microsoft shutters basic logins in a few months

The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

"Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

Continue reading

Microsoft gives its partners power to change AD privileges on customer systems – without permission

Somewhat counterintuitively, this is being done to improve security

Microsoft has created a window of time in which its partners can – without permission – create new roles for themselves in customers' Active Directory implementations.

Which sounds bonkers, so let's explain why Microsoft has even entertained the prospect.

To begin, remember that criminals have figured out that attacking IT service providers offers a great way to find many other targets. Evidence of that approach can be found in attacks on ConnectWise, SolarWinds, Kaseya and other vendors that provide software to IT service providers.

Continue reading

FabricScape: Microsoft warns of vuln in Service Fabric

Not trying to spin this as a Linux security hole, surely?

Microsoft is flagging up a security hole in its Service Fabric technology when using containerized Linux workloads, and urged customers to upgrade their clusters to the most recent release.

The flaw is tracked as CVE-2022-30137, an elevation-of-privilege vulnerability in Microsoft's Service Fabric. An attacker would need read/write access to the cluster as well as the ability to execute code within a Linux container granted access to the Service Fabric runtime in order to wreak havoc.

Through a compromised container, for instance, a miscreant could gain control of the resource's host Service Fabric node and potentially the entire cluster.

Continue reading

PowerShell pusher to log off from Microsoft: Write-Host "Bye bye, Jeffrey Snover"

'If you ever were rooting for somebody, please do him a favor and go tell him'

Jeffrey Snover's lengthy and occasionally controversial term at Microsoft is to come to an end this week, as the PowerShell inventor sets off for pastures new after more than two decades at the Windows giant.

Continue reading

Rufus and ExplorerPatcher: Tools to remove Windows 11 TPM pain and more

Turn off chip detection, bypass need for a Microsoft account, change how Explorer works

The latest beta of the popular Windows USB creation tool Rufus adds some handy features, such as removing Microsoft account requirements and turning off TPM chip detection – and there are others too.

In olden times, PCs used to come with recovery disks so that if your hard disk died you could fit a new one and reinstall. Then optical drives started to fade away, and PC makers found it saved money if they didn't include the disks and just put a recovery image on the hard disk. Happily, though, Microsoft made downloads of ISO images of Windows free on its website.

If you try to download on another copy of Windows, it tries to push the Microsoft Media Creation Tool at you, but you can refuse and use your own. If you do, Rufus is a good alternative.

Continue reading

Microsoft promises to tighten access to AI it now deems too risky for some devs

Deep-fake voices, face recognition, emotion, age and gender prediction ... A toolbox of theoretical tech tyranny

Microsoft has pledged to clamp down on access to AI tools designed to predict emotions, gender, and age from images, and will restrict the usage of its facial recognition and generative audio models in Azure.

The Windows giant made the promise on Tuesday while also sharing its so-called Responsible AI Standard, a document [PDF] in which the US corporation vowed to minimize any harm inflicted by its machine-learning software. This pledge included assurances that the biz will assess the impact of its technologies, document models' data and capabilities, and enforce stricter use guidelines.

This is needed because – and let's just check the notes here – there are apparently not enough laws yet regulating machine-learning technology use. Thus, in the absence of this legislation, Microsoft will just have to force itself to do the right thing.

Continue reading

Wi-Fi hotspots and Windows on Arm broken by Microsoft's latest patches

Only way to resolve is a rollback – but update included security fixes

Updated Microsoft's latest set of Windows patches are causing problems for users.

Windows 10 and 11 are affected, with both experiencing similar issues (although the latter seems to be suffering a little more).

KB5014697, released on June 14 for Windows 11, addresses a number of issues, but the known issues list has also been growing. Some .NET Framework 3.5 apps might fail to open (if using Windows Communication Foundation or Windows Workflow component) and the Wi-Fi hotspot features appears broken.

Continue reading

Microsoft teases Outlook Lite for Android

What are the 'main benefits' of Outlook? Whatever they are, that's all you'll get

Microsoft is readying a "Lite" version of its flagship messaging and calendar app for Android.

News of the app appeared on the software giant's feed of forthcoming items on the Windows 365 Roadmap.

The description offered is scanty: "An Android app that brings the main benefits of Outlook in a smaller app size with fast performance for low-end devices on any network."

Continue reading

Windows 11: The little engine that could, eventually

Stalled marketshare seems to be creeping upwards again in consumer, enterprise – but adoption still a slog

Advertising company AdDuplex has published its latest set of Windows usage figures and it looks like there might be light at the end of the tunnel for Windows 11.

Only the most ardent Microsoft apologists would insist all is well with Windows 11 adoption. Share growth of the OS stalled earlier this year and between March and April, with AdDuplex registering less than a 0.4 per cent increase. Windows 11 stood at a 19.7 per cent share, well behind the 35 percent and 26.4 percent of Windows 10 21H2 and 21H1 respectively.

The figures for the end of June show Windows 11 has clawed its way to a 23.1 percent share of PCs surveyed by AdDuplex, within touching distance of the chunk occupied by Windows 10 21H1 (23.9 percent) but still a long way behind Windows 10 21H2, which grew its share to 38.2 percent. Microsoft itself has not produced any official usage statistics.

Continue reading